Security Bulletin: Multiple Security Vulnerabilities in IBM HTTP Server (CVE-2017-7679, CVE-2017-7668, CVE-2017-3167)

Published: 2018-06-15 07:07:42
Source: www.ibm.com

Summary

There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2017-7679
DESCRIPTION: Apache HTTPD could allow a remote attacker to obtain sensitive information, caused by a buffer overread in mod_mime. By sending a specially crafted Content-Type response header, a remote attacker could exploit this vulnerability to read one byte past the end of a buffer.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127420 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-7668
DESCRIPTION: Apache HTTPD is vulnerable to a denial of service, caused by a buffer overread in the ap_find_token() function. By sending a specially crafted sequence of request headers, a remote attacker could exploit this vulnerability to cause a segmentation fault.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127419 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-3167
DESCRIPTION: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the use of the ap_get_basic_auth_pw() function by third-party modules outside of the authentication phase. A remote attacker could exploit this vulnerability to bypass authentication requirements.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127416 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

These vulnerabilities affect the following versions and releases of IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products.

  • Version 9.0
  • Version 8.5
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The CVEs above are addressed in three separate APARs:

  • PI82260 for CVE-2017-3167
  • PI82263 for CVE-2017-7668
  • PI82481 for CVE-2017-7679

However, we have combined these three APARs into one interim fix, PI82481, for you to apply.

For V9.0.0.0 through 9.0.0.4:
  • Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PI82481

-- OR --
  • Apply Fix Pack 9.0.0.5 or later.

For V8.5.0.0 through 8.5.5.11:

If you do not install the interim fix, note that the fixes for CVE-2017-3167 and CVE-2017-7668 ship in fix pack 8.5.5.12, available 21 July 2017, and the fix for CVE-2017-7679 ships in fix pack 8.5.5.13 (targeted availability 05 February 2018).

  • Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PI82481

-- OR --
  • Apply Fix Pack 8.5.5.12 or 8.5.5.13 as noted above.

For V8.0.0.0 through 8.0.0.13:
  • Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PI82481

-- OR --
  • Apply Fix Pack 8.0.0.14 or later.

For V7.0.0.0 through 7.0.0.43:
  • Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PI82481

-- OR --
  • Apply Fix Pack 7.0.0.45 or later.
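
The remediation above is easy to misread on a fleet with mixed fix pack levels, so here is an added example (not IBM's code, not part of this bulletin) that encodes the affected ranges and fix pack levels from the sections above and reports, per CVE, where a given IBM HTTP Server level stands. Two edge cases from the page are handled explicitly: 8.5.5.12 fixes only two of the three CVEs, and 7.0.0.44 falls between the last affected level (7.0.0.43) and the first fixing fix pack (7.0.0.45), so the bulletin says nothing about it and the script says so rather than guessing. The `interim_fix_pi82481` flag is an assumption for illustration: it marks all three CVEs fixed on an affected level, which is what applying the combined interim fix achieves according to the text.

```python
"""Classify an IBM HTTP Server level against the ranges in this bulletin (added example)."""
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int, int, int]

CVES = ("CVE-2017-3167", "CVE-2017-7668", "CVE-2017-7679")

# (first affected, last affected, {fix pack level: CVEs that fix pack ships}),
# transcribed from the "Affected Products" and "Remediation/Fixes" sections.
RELEASE_LINES: List[Tuple[Version, Version, Dict[Version, Set[str]]]] = [
    ((9, 0, 0, 0), (9, 0, 0, 4), {(9, 0, 0, 5): set(CVES)}),
    ((8, 5, 0, 0), (8, 5, 5, 11), {
        (8, 5, 5, 12): {"CVE-2017-3167", "CVE-2017-7668"},   # 7679 not in this fix pack
        (8, 5, 5, 13): set(CVES),
    }),
    ((8, 0, 0, 0), (8, 0, 0, 13), {(8, 0, 0, 14): set(CVES)}),
    ((7, 0, 0, 0), (7, 0, 0, 43), {(7, 0, 0, 45): set(CVES)}),   # note the gap at 7.0.0.44
]


def parse_version(text: str) -> Version:
    """'V8.5.5.12' or '8.5.5.12' -> (8, 5, 5, 12); shorter strings are right-padded with zeros."""
    cleaned = text.strip().lstrip("Vv")
    fields = cleaned.split(".")
    if not 1 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError("unrecognised version string: %r" % text)
    nums = [int(f) for f in fields] + [0] * (4 - len(fields))
    return (nums[0], nums[1], nums[2], nums[3])


def fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def assess(version_text: str, interim_fix_pi82481: bool = False) -> Dict[str, str]:
    """Return a status string per CVE for the given IBM HTTP Server level.

    interim_fix_pi82481 is an illustrative assumption: the bulletin says the
    combined interim fix addresses all three CVEs on an affected level.
    """
    v = parse_version(version_text)
    for low, high, fixes in RELEASE_LINES:
        if v[:2] != low[:2]:              # different release line (major.minor)
            continue
        if low <= v <= high:
            if interim_fix_pi82481:
                return {cve: "fixed by interim fix PI82481" for cve in CVES}
            return {cve: "affected" for cve in CVES}
        # Above the affected range: each CVE is fixed at the lowest fix pack
        # that both ships it and is <= the installed level.
        result = {}
        for cve in CVES:
            shipped = [fp for fp, cves in fixes.items() if cve in cves and v >= fp]
            if shipped:
                result[cve] = "fixed in %s" % fmt(min(shipped))
            else:
                result[cve] = "not covered by this bulletin"
        return result
    return {cve: "release line not covered by this bulletin" for cve in CVES}


if __name__ == "__main__":
    for level in ("V9.0.0.3", "8.5.5.12", "8.5.5.13", "7.0.0.44", "7.0.0.45"):
        print(level, assess(level))
```

Running it on 8.5.5.12 reports CVE-2017-3167 and CVE-2017-7668 as fixed and CVE-2017-7679 as not covered, which is the situation the 8.5 paragraph warns about: a host on 8.5.5.12 without the interim fix still needs 8.5.5.13 (or PI82481) for the mod_mime overread.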

Workarounds and Mitigations

None.